Examples of using tcpdump command for network troubleshooting

The tcpdump utility allows you to capture packets that flow within your network to assist in network troubleshooting. The following are several examples of using tcpdump with different options. Traffic is captured based on a specified filter. A variety of options exist, including:

Option          Description
-D              Print a list of network interfaces.
-i              Specify an interface on which to capture.
-c              Specify the number of packets to receive.
-v, -vv, -vvv   Increase the level of detail (verbosity).
-w              Write captured data to a file.
-r              Read captured data from a file.

Installing tcpdump utility

On most Unix/Linux systems the tcpdump package is not installed by default. To install the latest version, use the appropriate package manager for your system. For example, on CentOS/RHEL servers:

# yum install tcpdump

Examples of using tcpdump for network troubleshooting

1. Display list of network interfaces

To print a list of network interfaces available on which tcpdump can capture packets:

2. Capturing on a specific interface

As seen from the 'tcpdump -D' command, a number and an interface name are printed for each network interface. Either the interface name or the number can be supplied to the -i flag to specify the interface on which to capture. For example, to capture packets on the interface eth0:

As shown in this example, when tcpdump finishes capturing packets, it reports the following:

packets captured: This is the number of packets that tcpdump has received and processed.

packets received by filter: A filter can be specified on the command line and only those packets that match the defined filter are processed by tcpdump and counted.

packets dropped by kernel: This is the number of packets that were dropped due to a lack of buffer space. Use the -B option to set the buffer size.
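As an added example (not part of the original article), the following POSIX shell helper reads the summary that tcpdump prints on stderr when it exits and flags a capture that lost packets to buffer exhaustion, since a non-zero "dropped by kernel" count means the capture file is not a complete record of the traffic. The function names are my own and the sample summaries are constructed, so it runs without tcpdump installed.

```shell
# Print one counter ("captured", "received by filter", "dropped by kernel")
# from a tcpdump exit summary passed in as a string. Assumes tcpdump's
# English summary lines, e.g. "400 packets dropped by kernel".
tcpdump_counter() {
    summary="$1"
    name="$2"
    printf '%s\n' "$summary" | awk -v name="$name" \
        'index($0, "packets " name) { print $1; exit }'
}

# Return 0 when nothing was dropped, 1 when the kernel dropped packets
# (capture incomplete), 2 when the text holds no tcpdump summary at all.
check_capture_summary() {
    summary="$1"
    dropped=$(tcpdump_counter "$summary" "dropped by kernel")
    captured=$(tcpdump_counter "$summary" "captured")
    if [ -z "$dropped" ] || [ -z "$captured" ]; then
        echo "no tcpdump summary found" >&2
        return 2
    fi
    if [ "$dropped" -gt 0 ]; then
        echo "WARNING: $dropped dropped / $captured captured; rerun with a larger -B buffer" >&2
        return 1
    fi
    echo "capture complete: $captured packets, none dropped"
    return 0
}

# Typical use (needs tcpdump and capture privileges; not run here). The
# summary goes to stderr, so it is swapped onto stdout to be captured:
#   summary=$(tcpdump -i eth0 -c 200 -w capture.out 2>&1 >/dev/null)
#   check_capture_summary "$summary" || echo "capture incomplete"

# Constructed sample summaries so the script can be exercised offline.
CLEAN_SUMMARY='2 packets captured
4 packets received by filter
0 packets dropped by kernel'

LOSSY_SUMMARY='1500 packets captured
1900 packets received by filter
400 packets dropped by kernel'

check_capture_summary "$CLEAN_SUMMARY"
check_capture_summary "$LOSSY_SUMMARY" || true
```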

4. Increase the details (verbosity) of the output

To increase the detail (verbosity) of the output, use the -v option, or -vv for even more verbose output, or -vvv for the most verbose level of output:

# tcpdump -i 1 -v
# tcpdump -i 1 -vv
# tcpdump -i 1 -vvv

5. Capture the data to a file

Using the tcpdump utility with the -w option allows you to write captured data to a file. This allows the captured data to be read by other network analysis tools, such as Wireshark. The following example captures data to a file named capture.out:

# tcpdump -i 1 -v -c 2 -w capture.out

6. Reading captured data

You can also read captured data from a file by using the -r option:

# tcpdump -r capture_file

Some more examples of tcpdump command

Many other options and arguments can be used with tcpdump. The following are some specific examples of the power of the tcpdump utility.

1. Display traffic between 2 hosts

To display all traffic between two hosts (represented by variables host1 and host2):

# tcpdump host host1 and host2

2. Display traffic from a source or destination host only

To display only traffic from a source (src) host, or only traffic to a destination (dst) host (here represented by host1):

# tcpdump src host host1
# tcpdump dst host host1

3. Display traffic for a specific protocol

Provide the protocol as an argument to display only traffic for a specific protocol, for example tcp, udp, icmp, arp: